<!DOCTYPE html>
<html lang="zh-Hans">
    <!-- title -->




<!-- keywords -->




<head><meta name="generator" content="Hexo 3.9.0">
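    <meta charset="utf-8">
    <!-- user-scalable=no dropped from the viewport: it blocks pinch-zoom (WCAG 1.4.4) and is ignored by current mobile browsers anyway. -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="author" content="S1xHcL">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="S1xHcL">
    <meta name="keywords" content="hexo,hexo-theme,hexo-blog">
    <meta name="description" content="万般皆苦 唯有自渡">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>CVE-2019-0708 复现 · S1xHcL&#39;s Blog</title>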
    <style type="text/css">
    /* Critical inline CSS. The main stylesheet (/css/style.css) is fetched
       asynchronously via <link rel="preload" as="style">, so these rules
       alone decide what the page looks like until it arrives. */
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    /* Everything except the intro banner is hidden up front; presumably the
       main stylesheet / main.js reveals these once loaded (the rule that does
       so is not in this file). */
    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height is set inline on the element (style="height:50vh") rather than here */
        overflow: hidden;
    }

    /* Animated stripe backdrop shown behind the intro while the Unsplash image loads:
       a 160px-period diagonal pattern (#444 / #333, 80px each) that slides from
       -226px to 0 every 2.5s. The element is 300px wider than its container,
       presumably so the slide never exposes an edge. */
    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    /* One cycle of the placeholder slide; 226px is also the resting transform above. */
    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href="/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'">
    <link rel="stylesheet" href="/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
// loadCSS rel=preload polyfill (Filament Group, MIT). Only the relpreload half
// of loadCSS is inlined here: if no loadCSS global exists yet, a no-op stub is
// created so that `loadCSS.relpreload` has something to hang off. Browsers
// that support <link rel=preload> do nothing beyond the feature test; the
// rest get every <link rel=preload as=style> turned into an async
// stylesheet load (see the two such links in <head>).
(function( w ){
	"use strict";
	// create a no-op loadCSS stub if the real function is not present
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	// (relList may be missing on old browsers, hence the try/catch -> false)
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		// restoring the real media query is what makes the sheet apply
		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media (attachEvent: legacy IE)
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// "only x" matches no media type, so the browser fetches the sheet
		// without applying it until enableStylesheet() runs
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	// safe to call repeatedly: links already handled are skipped via data-loadcss
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload, to pick up links parsed
		// after this inline script ran
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
// `w` is the global object (node `global` or the browser window via `this`)
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href="/assets/Satamoto.ico">
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script">
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script">
    <link rel="preload" href="/scripts/main.js" as="script">
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
</head>

    
        <body class="post-body">
    
    
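<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- toggle banner on post pages -->
    <div class="banner">
            <div class="blog-title">
                <a href="/">S1xHcL&#39;s Blog</a>
            </div>
            <div class="post-title">
                <!-- href="#" has no destination; presumably main.js binds a banner toggle /
                     scroll-to-top on .post-name — confirm before turning it into a <button>. -->
                <a href="#" class="post-name">CVE-2019-0708 复现</a>
            </div>
    </div>
    <!-- attribute values quoted (the original had an unquoted href=/) -->
    <a class="home-link" href="/">S1xHcL's Blog</a>
</header>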
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://source.unsplash.com/random)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            CVE-2019-0708 复现
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
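            <div class="post-intros">
                <!-- post tags. These are client-side tag filters with no destination
                     (href="javascript:void(0);"); presumably main.js handles the click via
                     data-tags. A <button> would be the semantic choice, but the theme's
                     CSS/JS may select on a.post-tag, so the element type is left as is.
                     Only the attribute quoting/spacing was normalised. -->
                <div class="post-intro-tags">
                    <a class="post-tag" href="javascript:void(0);" data-tags="Windows">Windows</a>
                    <a class="post-tag" href="javascript:void(0);" data-tags="CVE">CVE</a>
                    <a class="post-tag" href="javascript:void(0);" data-tags="RDP">RDP</a>
                </div>
                <div class="post-intro-read">
                    <span>字数统计: <span class="post-count word-count">779</span>阅读时长: <span class="post-count reading-time">3 min</span></span>
                </div>
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2019/09/09</span>
                    <!-- page-view counter; presumably filled in by busuanzi.pure.mini.js loaded at the end of <body> -->
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    <!-- share menu; share.js (loaded async at the end of <body>) presumably acts on data-type -->
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>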
        
    </div>
</div>
        <script>
 
  // get user agent
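  // Coarse user-agent sniffing (plain substring matches), computed once and
  // stored on browser.versions. In this file only asyncCb() reads it
  // (browser.versions.uc); the remaining flags may be read by other scripts.
  var browser = {
    versions: function () {
      // Guard the navigator read so the snippet is inert outside a browser;
      // with an empty UA string every flag takes its "no match" value.
      var u = (typeof window !== 'undefined' && window.navigator && window.navigator.userAgent) || '';
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, // IE (Trident) engine
        presto: u.indexOf('Presto') > -1, // Opera (Presto) engine
        webKit: u.indexOf('AppleWebKit') > -1, // Apple / Google (WebKit) engine
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, // Firefox (Gecko) engine
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), // mobile device
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), // iOS device
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, // Android device or UC browser (per the original comment)
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, // iPhone, or Android QQ browser (per the original comment)
        iPad: u.indexOf('iPad') > -1, // iPad
        webApp: u.indexOf('Safari') == -1, // standalone web app (no browser header/footer)
        // Fixed: the original tested `== -1`, which reported "WeChat" for every
        // browser *except* WeChat, contradicting its own comment.
        weixin: u.indexOf('MicroMessenger') > -1, // WeChat in-app browser
        uc: u.indexOf('UCBrowser') > -1 // UC browser on Android
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);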

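  // Reveal the intro block once the title font is ready (or font loading gave
  // up, see asyncCb): adds the fade-in classes to .intro-title, .intro-subtitle
  // and, if present, .post-intros. Safe to call on pages lacking any of them.
  function fontLoaded() {
    console.log('font loaded');
    // Note: the original wrapped this in `if (getElementsByClassName('site-intro-meta'))`,
    // but a (live) collection is always truthy, so that guard never did anything and
    // a page without .intro-title threw on `[0].classList`. Each element is now
    // looked up and checked individually instead.
    var fadeIn = function (className, fadeClass) {
      var el = document.getElementsByClassName(className)[0];
      if (el) {
        el.classList.add(fadeClass);
      }
    };
    fadeIn('intro-title', 'intro-fade-in');
    fadeIn('intro-subtitle', 'intro-fade-in');
    fadeIn('post-intros', 'post-fade-in');
  }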

  // Runs once webfontloader has loaded (see asyncLoadWithFallBack below).
  // UC Browser cannot do the cross-origin font fetch, so the intro is revealed
  // immediately there; everywhere else the Oswald font is requested and the
  // reveal waits for it to render, fail, or time out.
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
      return;
    }
    var onInactive = function () {
      // font failed to load, is invalid, or the browser cannot load fonts
      console.log('inactive: timeout');
      fontLoaded();
    };
    var onActive = function () {
      // all requested fonts have rendered
      fontLoaded();
    };
    var onLoading = function () {
      // all fonts have started loading; nothing to do
    };
    WebFont.load({
      custom: {
        families: ['Oswald-Regular']
      },
      loading: onLoading,
      active: onActive,
      inactive: onInactive,
      timeout: 5000 // milliseconds (the original comment said "two seconds"; the value is 5 s)
    });
  }

  // Error callback for a failed CDN copy of webfontloader; the loader then
  // falls through to the next URL in its list, so this only logs.
  function asyncErr(){
    var msg = 'script load from CDN failed, will load local script';
    console.warn(msg);
  }

  // Inject <script src=u> before the first <script> on the page so it loads
  // asynchronously; the optional cb / err callbacks receive (null, event) on
  // load / error respectively.
  function async(u, cb, err) {
    var doc = document;
    var tagName = 'script';
    var anchor = doc.getElementsByTagName(tagName)[0];
    var el = doc.createElement(tagName);
    el.src = u;
    if (cb) {
      el.addEventListener('load', function (evt) { cb(null, evt); }, false);
    }
    if (err) {
      el.addEventListener('error', function (evt) { err(null, evt); }, false);
    }
    anchor.parentNode.insertBefore(el, anchor);
  }

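  // Try each URL in `arr` in order with async(): `success` is called for the
  // first one that loads, `reject` once per URL that fails (so the caller can
  // log each fallback). Unlike the original, the caller's array is copied
  // rather than shifted in place, an empty list is a no-op, and `reject` is
  // optional.
  var asyncLoadWithFallBack = function(arr, success, reject) {
      var queue = (arr || []).slice();
      var tryNext = function () {
        if (!queue.length) {
          return;
        }
        var url = queue.shift();
        async(url, success, function () {
          if (reject) { reject(); }
          tryNext(); // fall back to the next URL (no-op when the list is exhausted)
        });
      };
      tryNext();
  }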

  // Load webfontloader: two CDN copies first, the local copy as the last
  // resort. asyncCb runs on the first successful load, asyncErr on each failure.
  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
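        <!-- Decorative loading spinner (presumably hidden by main.js once the content is shown); alt="" keeps it out of the accessibility tree. Void element, so no trailing slash. -->
        <img class="loading" src="/assets/loading.svg" alt="" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;">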
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <h1 id="0x01-概要"><a href="#0x01-概要" class="headerlink" title="0x01 概要"></a>0x01 概要</h1><p>上周末 <code>CVE-2019-0708</code> 有了更新，经过踩坑，现在可以对特定机器进行攻击</p>
<h1 id="0x02-影响范围"><a href="#0x02-影响范围" class="headerlink" title="0x02 影响范围"></a>0x02 影响范围</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Exploit targets:</span><br><span class="line"></span><br><span class="line">   Id  Name</span><br><span class="line">   --  ----</span><br><span class="line">   0   Automatic targeting via fingerprinting</span><br><span class="line">   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)</span><br><span class="line">   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)</span><br><span class="line">   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)</span><br><span class="line">   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)</span><br></pre></td></tr></table></figure>

<p>经测试，目前所公布的 <code>exp</code> 仅对虚拟机有效</p>
<h1 id="0x03-漏洞环境"><a href="#0x03-漏洞环境" class="headerlink" title="0x03 漏洞环境"></a>0x03 漏洞环境</h1><p>本次的漏洞需要配置 <code>Windows</code> 和 <code>Kali Linux</code> 两种环境</p>
<h2 id="Windows-环境配置"><a href="#Windows-环境配置" class="headerlink" title="Windows 环境配置"></a>Windows 环境配置</h2><h3 id="系统安装"><a href="#系统安装" class="headerlink" title="系统安装"></a>系统安装</h3><p>本篇使用 <code>Vmware</code> 安装 <code>Windows 7 sp1 旗舰版</code></p>
<blockquote>
<p>Windows 7 sp1 下载链接：<br>ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/  </p>
</blockquote>
<p><img src="https://s2.ax1x.com/2019/09/09/nJgJ4x.png" alt="ver"></p>
<h3 id="关闭防火墙"><a href="#关闭防火墙" class="headerlink" title="关闭防火墙"></a>关闭防火墙</h3><p><img src="https://s2.ax1x.com/2019/09/09/ntKiTI.png" alt="fire"></p>
<h3 id="远程桌面设置"><a href="#远程桌面设置" class="headerlink" title="远程桌面设置"></a>远程桌面设置</h3><p>开启3389端口</p>
<p><img src="https://s2.ax1x.com/2019/09/09/nJR3fx.png" alt="3389"></p>
<p>在【控制面板】-【系统和安全】-【系统】-【远程设置】-【远程】中选择允许运行任意版本远程桌面的计算机连接</p>
<p><img src="https://s2.ax1x.com/2019/09/09/nJRZlT.png" alt="mstsc"></p>
<h2 id="Kali-Linux-环境配置"><a href="#Kali-Linux-环境配置" class="headerlink" title="Kali Linux 环境配置"></a>Kali Linux 环境配置</h2><p>在 <code>Kali</code> 中，需要手动将攻击套件放到 <code>msf</code> 对应的文件夹中</p>
<h2 id="bluekeep-exploit-下载"><a href="#bluekeep-exploit-下载" class="headerlink" title="bluekeep-exploit 下载"></a>bluekeep-exploit 下载</h2><blockquote>
<p><a href="https://github.com/TinToSer/bluekeep-exploit" target="_blank" rel="noopener">https://github.com/TinToSer/bluekeep-exploit</a></p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">cve_2019_0708_bluekeep_rce.rb -&gt; /usr/share/metasploit-framework/modules/exploits/windows/rdp/</span><br><span class="line">rdp.rb -&gt; /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb</span><br><span class="line">rdp_scanner.rb -&gt; /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb</span><br><span class="line">cve_2019_0708_bluekeep.rb -&gt; /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb</span><br></pre></td></tr></table></figure>

<p><code>cve_2019_0708_bluekeep_rce.rb</code> 需要自行创建对应文件夹，其余文件直接覆盖替换原有文件即可</p>
<p>注意：添加完 4 个 <code>.rb</code> 文件后，需要先进入 <code>metasploit-framework</code> 使用 <code>reload_all</code> 命令重新加载 0708 RDP 利用模块。</p>
<p>如果出现报错，请查看本篇 0x05 常见报错汇总</p>
<h1 id="0x04-漏洞攻击"><a href="#0x04-漏洞攻击" class="headerlink" title="0x04 漏洞攻击"></a>0x04 漏洞攻击</h1><ol>
<li>使用 0708 攻击模块</li>
</ol>
<p><img src="https://s2.ax1x.com/2019/09/09/ntrPxg.png" alt="use"></p>
<ol start="2">
<li>设置 RHOSTS （设置被攻击机IP）</li>
</ol>
<p><img src="https://s2.ax1x.com/2019/09/09/ntrdzD.png" alt="ip"></p>
<ol start="3">
<li>设置 targets （设置被攻击机型号）</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Exploit targets:</span><br><span class="line"></span><br><span class="line">   Id  Name</span><br><span class="line">   --  ----</span><br><span class="line">   0   Automatic targeting via fingerprinting</span><br><span class="line">   1   Windows 7 SP1 / 2008 R2 (6.1.7601 x64)</span><br><span class="line">   2   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox)</span><br><span class="line">   3   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare)</span><br><span class="line">   4   Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)</span><br></pre></td></tr></table></figure>

<p>我们使用的是 VMware，所以 target 设置为 3</p>
<p><img src="https://s2.ax1x.com/2019/09/09/ntr6ot.png" alt="targets"></p>
<ol start="4">
<li>攻击</li>
</ol>
<p><img src="https://s2.ax1x.com/2019/09/09/ntsmmd.png" alt="exp"></p>
<p>攻击成功</p>
<hr>
<p>注：使用 <code>info</code> 可查看相关工具信息，使用 <code>show options</code> 可查看相关设置详情。另外，端口默认为 3389，如目标端口有改动，自行设置即可。</p>
<p><img src="https://s2.ax1x.com/2019/09/09/ntsyX4.png" alt="options"></p>
<h1 id="0x05-常见报错汇总"><a href="#0x05-常见报错汇总" class="headerlink" title="0x05 常见报错汇总"></a>0x05 常见报错汇总</h1><h2 id="reload-all-加载失败"><a href="#reload-all-加载失败" class="headerlink" title="reload_all 加载失败"></a>reload_all 加载失败</h2><p><img src="https://s2.ax1x.com/2019/09/09/ntcPkn.png" alt="error1"></p>
<p>解决方法：更新 <code>msf</code> 到最新版 <code>5.0.46-dev</code></p>
<blockquote>
<p>中科大源</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">#中科大</span><br><span class="line">deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib</span><br><span class="line">deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib</span><br></pre></td></tr></table></figure>

<h2 id="攻击失败1"><a href="#攻击失败1" class="headerlink" title="攻击失败1"></a>攻击失败1</h2><p><img src="https://s2.ax1x.com/2019/09/09/ntcOE9.png" alt="error2"></p>
<p>提示不存在该漏洞</p>
<p>解决方法：</p>
<ol>
<li>所使用的系统不受支持（目前 exp 仅支持 Win7 SP1 旗舰版/专业版和 Win2008 R2）</li>
<li>远程桌面选项有误（参照本篇漏洞环境配置远程桌面部分）</li>
</ol>
<h2 id="攻击失败2"><a href="#攻击失败2" class="headerlink" title="攻击失败2"></a>攻击失败2</h2><p><img src="https://s2.ax1x.com/2019/09/09/nt2Mz6.png" alt="error3"></p>
<p>解决方法：</p>
<p>重新导入 <code>bluekeep-exploit</code> 中的 4 个 .rb 文件</p>
<h1 id="0x06-补充"><a href="#0x06-补充" class="headerlink" title="0x06 补充"></a>0x06 补充</h1><p>在 Windows 2008 R2 上利用前需要先修改注册表信息</p>
<blockquote>
<p>HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0</p>
</blockquote>
<p>或者直接执行以下命令</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">@echo offcolor 1c sc config MpsSvc start= auto sc start MpsSvc reg add &quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server&quot; /v &quot;fDenyTSConnections&quot; /t REG_DWORD /d 0 /f</span><br></pre></td></tr></table></figure>

<h1 id="0x07-后话"><a href="#0x07-后话" class="headerlink" title="0x07 后话"></a>0x07 后话</h1><p>目前所公开的 exp 利用条件过多，失败也属于正常现象，<br>耐心等待更多的 exp 出现</p>

    </article>
    <!-- license  -->
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
                <div class="nextSlogan">Next Post</div>
                <a href= "/2019/09/10/利用微信DLL劫持获取shell/" title= "利用微信DLL劫持获取shell">
                    <div class="nextTitle">利用微信DLL劫持获取shell</div>
                </a>
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/2019/08/20/局域网内ARP欺骗/" title= "局域网内ARP欺骗">
                    <div class="prevTitle">局域网内ARP欺骗</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
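    <div class="social">
        <!-- Icon-only links (the glyph presumably comes from the iconfont-archer/email/github
             classes), so each needs an accessible name; title alone is not reliably announced. -->
        <a href="mailto:lcug1416@gmail.com" class="iconfont-archer email" title="email" aria-label="Email"></a>
        <!-- Explicit https instead of a protocol-relative URL, and noopener/noreferrer because
             the link opens a new tab on another origin. -->
        <a href="https://github.com/S1xHcL" class="iconfont-archer github" target="_blank" rel="noopener noreferrer" title="github" aria-label="GitHub"></a>
    </div>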
    
    <!-- powered by Hexo  -->
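    <div class="copyright">
        <!-- rel="noopener" on both links: each opens an external origin in a new tab. -->
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank" rel="noopener">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank" rel="noopener">Archer</a></span>
    </div>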
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
     
    <span id="busuanzi_container_site_pv">PV: <span id="busuanzi_value_site_pv"></span> :)</span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#0x01-概要"><span class="toc-number">1.</span> <span class="toc-text">0x01 概要</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x02-影响范围"><span class="toc-number">2.</span> <span class="toc-text">0x02 影响范围</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x03-漏洞环境"><span class="toc-number">3.</span> <span class="toc-text">0x03 漏洞环境</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#Windows-环境配置"><span class="toc-number">3.1.</span> <span class="toc-text">Windows 环境配置</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#系统安装"><span class="toc-number">3.1.1.</span> <span class="toc-text">系统安装</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#关闭防火墙"><span class="toc-number">3.1.2.</span> <span class="toc-text">关闭防火墙</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#远程桌面设置"><span class="toc-number">3.1.3.</span> <span class="toc-text">远程桌面设置</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Kali-Linux-环境配置"><span class="toc-number">3.2.</span> <span class="toc-text">Kali Linux 环境配置</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#bluekeep-exploit-下载"><span class="toc-number">3.3.</span> <span class="toc-text">bluekeep-exploit 下载</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x04-漏洞攻击"><span class="toc-number">4.</span> <span class="toc-text">0x04 漏洞攻击</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x05-常见报错汇总"><span class="toc-number">5.</span> <span class="toc-text">0x05 常见报错汇总</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#reload-all-加载失败"><span class="toc-number">5.1.</span> <span class="toc-text">reload_all 加载失败</span></a></li><li 
class="toc-item toc-level-2"><a class="toc-link" href="#攻击失败1"><span class="toc-number">5.2.</span> <span class="toc-text">攻击失败1</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#攻击失败2"><span class="toc-number">5.3.</span> <span class="toc-text">攻击失败2</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x06-补充"><span class="toc-number">6.</span> <span class="toc-text">0x06 补充</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x07-后话"><span class="toc-number">7.</span> <span class="toc-text">0x07 后话</span></a></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 11
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2019 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/10</span><a class="archive-post-title" href= "/2019/09/10/利用微信DLL劫持获取shell/" >利用微信DLL劫持获取shell</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/2019/09/09/CVE-2019-0708-复现/" >CVE-2019-0708 复现</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/20</span><a class="archive-post-title" href= "/2019/08/20/局域网内ARP欺骗/" >局域网内ARP欺骗</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/07</span><a class="archive-post-title" href= "/2019/08/07/关于cors的漏洞利用/" >关于cors的漏洞利用</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/04</span><a class="archive-post-title" href= "/2019/08/04/DVWA学习总结之CSRF/" >DVWA学习总结之CSRF</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/01</span><a class="archive-post-title" href= "/2019/08/01/33款APP安全性测试总结/" >33款APP安全性测试总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">07/31</span><a class="archive-post-title" href= "/2019/07/31/工作小记_1/" >工作小记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">07/21</span><a class="archive-post-title" href= "/2019/07/21/DVWA学习总结之Brute-Force/" >DVWA学习总结之Brute Force</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">06/20</span><a class="archive-post-title" href= "/2019/06/20/知道创宇面试题归档/" >知道创宇面试题归档</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">06/06</span><a class="archive-post-title" href= "/2019/06/06/VMware-无法联网问题解决/" >VMware-无法联网问题解决</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">05/06</span><a class="archive-post-title" href= "/2019/05/06/2019-ISCC-WriteUp【web】/" >2019-ISCC-WriteUp【web】</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="Windows"><span class="iconfont-archer">&#xe606;</span>Windows</span>
    
        <span class="sidebar-tag-name" data-tags="CVE"><span class="iconfont-archer">&#xe606;</span>CVE</span>
    
        <span class="sidebar-tag-name" data-tags="RDP"><span class="iconfont-archer">&#xe606;</span>RDP</span>
    
        <span class="sidebar-tag-name" data-tags="work"><span class="iconfont-archer">&#xe606;</span>work</span>
    
        <span class="sidebar-tag-name" data-tags="App"><span class="iconfont-archer">&#xe606;</span>App</span>
    
        <span class="sidebar-tag-name" data-tags="Web"><span class="iconfont-archer">&#xe606;</span>Web</span>
    
        <span class="sidebar-tag-name" data-tags="WriteUp"><span class="iconfont-archer">&#xe606;</span>WriteUp</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="Tools"><span class="iconfont-archer">&#xe606;</span>Tools</span>
    
        <span class="sidebar-tag-name" data-tags="Vmware"><span class="iconfont-archer">&#xe606;</span>Vmware</span>
    
        <span class="sidebar-tag-name" data-tags="DLL"><span class="iconfont-archer">&#xe606;</span>DLL</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="tips"><span class="iconfont-archer">&#xe606;</span>tips</span>
    
        <span class="sidebar-tag-name" data-tags="sqlmap"><span class="iconfont-archer">&#xe606;</span>sqlmap</span>
    
        <span class="sidebar-tag-name" data-tags="arp"><span class="iconfont-archer">&#xe606;</span>arp</span>
    
        <span class="sidebar-tag-name" data-tags="web"><span class="iconfont-archer">&#xe606;</span>web</span>
    
        <span class="sidebar-tag-name" data-tags="Dvwa"><span class="iconfont-archer">&#xe606;</span>Dvwa</span>
    
        <span class="sidebar-tag-name" data-tags="Interview"><span class="iconfont-archer">&#xe606;</span>Interview</span>
    
        <span class="sidebar-tag-name" data-tags="Work"><span class="iconfont-archer">&#xe606;</span>Work</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CVE"><span class="iconfont-archer">&#xe60a;</span>CVE</span>
    
        <span class="sidebar-category-name" data-categories="work"><span class="iconfont-archer">&#xe60a;</span>work</span>
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="Tools"><span class="iconfont-archer">&#xe60a;</span>Tools</span>
    
        <span class="sidebar-category-name" data-categories="CVE/EXP"><span class="iconfont-archer">&#xe60a;</span>CVE/EXP</span>
    
        <span class="sidebar-category-name" data-categories="APT"><span class="iconfont-archer">&#xe60a;</span>APT</span>
    
        <span class="sidebar-category-name" data-categories="work/tools"><span class="iconfont-archer">&#xe60a;</span>work/tools</span>
    
        <span class="sidebar-category-name" data-categories="web"><span class="iconfont-archer">&#xe60a;</span>web</span>
    
        <span class="sidebar-category-name" data-categories="CTF/Web"><span class="iconfont-archer">&#xe60a;</span>CTF/Web</span>
    
        <span class="sidebar-category-name" data-categories="CVE/EXP/MSF"><span class="iconfont-archer">&#xe60a;</span>CVE/EXP/MSF</span>
    
        <span class="sidebar-category-name" data-categories="APT/shell"><span class="iconfont-archer">&#xe60a;</span>APT/shell</span>
    
        <span class="sidebar-category-name" data-categories="Web"><span class="iconfont-archer">&#xe60a;</span>Web</span>
    
        <span class="sidebar-category-name" data-categories="Work"><span class="iconfont-archer">&#xe60a;</span>Work</span>
    
        <span class="sidebar-category-name" data-categories="work/web"><span class="iconfont-archer">&#xe60a;</span>work/web</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    // Site-wide constants for the theme scripts (main.js / share.js, presumably).
    var siteMeta = {};
    siteMeta.root = "/";
    siteMeta.author = "S1xHcL";
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        // CDN failover: if the jsDelivr copy above did not define window.$,
        // pull in the local copy. document.write is deliberate here so the
        // fallback stays blocking and later scripts still find jQuery.
        if (typeof window.$ === 'undefined') {
            console.warn('jquery load from jsdelivr failed, will load local script');
            document.write('<script src="/lib/jquery.min.js">\x3C/script>');
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
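    <!-- Explicit https instead of a protocol-relative URL, so the counter script is never fetched over plain http. -->
    <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>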
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


